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MEMORANDUM  FOR  DIRECTOR,  DEFENSE  ADVANCED  RESEARCH 

PROJECTS  AGENCY 

SUBJECT:  Audit  Report  on  the  Information  Assurance  in  the  Advanced  Logistics 
Program  (Report  No.  D-2000-122) 


We  are  providing  this  audit  report  for  information  and  use.  We  considered 
management  comments  on  a  draft  of  this  report  in  preparing  the  final  report 

Comments  on  the  draft  of  this  report  conformed  to  the  requirements  of  DoD 
Directive  7650.3  and  left  no  unresolved  issues.  Therefore,  no  additional  comments  are 
required. 

We  appreciate  the  courtesies  extended  to  the  audit  staff.  Questions  on  the  audit 
should  be  directed  to  Mr.  Raymond  A.  Spencer  at  (703)  604-9071  (DSN  664-9071) 
(rspencer@dodig.osd.mil)  or  Mr.  Roger  H.  Florence  at  (703)  604-9067 
(DSN  664-9067)  (rflorence@dodig.osd.mil).  See  Appendix  C  for  the  report 
distribution.  The  audit  team  members  are  listed  inside  the  back  cover. 


David  K.  Steensma 
Deputy  Assistant  Inspector  General 
for  Auditing 
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Report  No.  D-2000-122  May  12,  2000 

(Project  No.  D2000-AB-0074.00) 


Information  Assurance  in  the  Advanced  Logistics  Program 


Executive  Summary 


Introduction.  The  Advanced  Logistics  Program  is  jointly  funded  by  the  Defense 
Advanced  Research  Project  Agency  and  the  Defense  Logistics  Agency  to  explore 
information  technology  capabilities  in  support  of  the  Joint  Vision  2010  and  the  focused 
logistics  operational  concept.  The  Defense  Advanced  Research  Project  Agency  issued 
an  other  transaction  agreement,  in  1996,  to  the  Advanced  Logistics  Program  Integration 
and  Engineering  Consortium  for  the  prototype  development.  The  program  is  a 
five-year,  $59.2  million  effort  and  has  completed  its  third  year. 

The  objectives  of  the  Advanced  Logistics  Program  were  to  define,  develop,  and 
demonstrate  advanced  information  technologies  that  would  assist  in  placing  materiel  and 
capabilities  at  the  right  place  at  the  right  time  as  well  as  having  the  ability  to  track, 
refurbish,  sustain,  and  redeploy  those  assets  more  effectively.  The  Advanced  Logistics 
Program  will  develop  information  technology  capabilities  in  four  areas:  automated 
logistics  planning,  real-time  logistics  situation  assessment,  end-to-end  logistics 
movement  control,  and  rapid  supply . 

Objectives.  The  audit  objective  was  to  evaluate  whether  the  requirements  for 
information  assurance,  total  asset  visibility,  and  acquisition  strategy  planning  for  the 
Advanced  Logistics  Program  were  being  properly  addressed. 

Results.  The  Defense  Advanced  Research  Project  Agency  is  developing  and 
demonstrating  an  advanced  information  technology  capability  for  the  DoD  logistics 
community’s  use  without  conducting  an  information  assurance  risk  assessment  to 
evaluate  the  security  risks  associated  with  the  technology  development.  Defense 
agencies  and  Military  Departments  have  monitored  the  technology  development,  but 
have  not  made  financial  commitments  to  continue  the  program.  The  lack  of  a  security 
risk  assessment  is  a  deterrent  to  transitioning  the  Advanced  Logistics  Program 
information  technology  to  Defense  agencies  and  Military  Departments.  As  a  result,  the 
advanced  information  technology  capability  will  be  offered  to  the  Defense  agencies  and 
Military  Departments  without  assessing  the  potential  technology  security  risks  to  its 
users.  See  Appendix  A  for  details  on  the  management  control  program. 

Recommendation.  We  recommend  that  the  Director,  Defense  Advanced  Research 
Projects  Agency,  perform  an  information  assurance  risk  assessment  for  the  Advanced 
Logistics  Program  before  development  is  completed  and  before  it  is  introduced  to  the 
Defense  agencies  and  the  Military  Departments. 
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Management  Comments.  The  Director,  Defense  Advanced  Research  Projects 
Agency,  concurred  and  stated  that  the  Sandia  National  Laboratory  was  commissioned  to 
perform  an  information  risk  assessment  starting  in  July  2000.  A  discussion  of 
management  comments  is  in  the  Finding  section  of  the  report,  and  the  complete  text  of 
the  management  comments  is  in  the  Management  Comments  section. 
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Background 


The  Advanced  Logistics  Program  (ALP)  explores  opportunities  to  connect 
logistics  and  operations  information  in  an  operational  plan  in  support  of  the  Joint 
Vision  2010  and  the  operational  concept  of  focused  logistics.  The  Defense 
Advanced  Research  Project  Agency  (DARPA)  and  the  Defense  Logistics 
Agency  jointly  funded  the  information  technology  program  in  partnership  with 
the  Joint  Staff  and  the  U.  S.  Transportation  Command.  The  ALP  is  a 
$59.2  million,  five-year  program  that  will  conclude  in  FY  2001.  The  ALP 
objective  is  to  develop  and  demonstrate  through  software  and  procedures  the 
ability  to  connect  information  technology  operations  and  logistics  databases  to 
manage  the  DoD  logistics  pipeline.  Specifically,  ALP  will  produce  and 
demonstrate  advanced  information  technologies  that  assist  in  putting  the  right 
materiel,  in  the  right  place,  at  the  right  time,  with  reduced  reliance  on  large 
DoD  inventories  and  at  a  reduced  cost. 

The  ALP  will  define,  develop,  and  demonstrate  information  technologies  that 
will  allow  the  logistics  community  to  deploy,  track,  refurbish,  and  redeploy 
logistics  and  transportation  assets  more  efficiently.  Those  technologies  will  be 
demonstrated  by  a  prototype  that  couples  continuous  planning  and  execution 
monitoring.  Key  to  the  success  of  ALP  will  be  the  development  of  a  software 
architecture  that  can  rapidly  derive  detailed  logistics  plans  from  operational 
requirements. 

The  ALP  will  be  able  to  interconnect  applicable  databases  to  the  following  four 
areas: 

•  Automated  logistics  planning  that  will  link  the  joint  operational  and  joint 
logistical  planning  and  execution  processes  to  produce  Timed  Phased 
Force  Deployment  Data  in  1  hour.  The  plan  will  include  data  from  the 
highest  to  the  lowest  military  echelon. 

•  Real-time  situation  assessment  that  will  develop  technologies  and 
methods  for  providing  users  at  all  echelons  with  the  ability  to  assess  the 
logistics  situation  by  converting  logistics  data  into  visual  images  to 
understand  current  and  project  future  situations. 

•  End-to-end  movement  control  that  will  develop  technologies  and  methods 
to  control  the  transportation  and  logistics  pipeline  by  automated 
development  of  transportation  plans  and  continuous  monitoring 
techniques  to  optimize  lift  assets  and  minimize  staging. 

•  Rapid  supply  that  will  develop  technologies  and  methods  necessary  to 
establish  interoperable  connectivity  and  access  to  DoD  and  commercial 
vendors,  suppliers,  and  manufacturers  to  increase  materiel  readiness, 
decrease  cycle  times  for  satisfying  materiel  requirements,  and  reduce 
DoD  inventory  and  overhead  cost. 
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DARPA  issued  a  prototype  other  transaction  agreement  for  the  development  of 
the  ALP.  Other  transaction  agreements,  authorized  under  10  U.S.C.  2371,  are 
instruments  other  than  contracts,  grants,  and  cooperative  agreements,  which  are 
used  to  stimulate,  support,  acquire  research,  or  develop  prototype  projects. 
While  initially  developed  for  advanced  research  projects,  the  National  Defense 
Authorization  Act  of  FY  1994,  section  845,  augmented  the  other  transaction 
agreement  authority  for  prototype  projects  that  are  directly  relevant  to  weapons 
or  weapon  systems.  Section  845  may  be  used  even  when  a  traditional  contract 
would  be  feasible  or  appropriate. 

Objectives 


The  audit  objective  was  to  evaluate  whether  the  requirements  for  information 
assurance,  total  asset  visibility,  and  acquisition  strategy  planning  for  the  ALP 
were  being  properly  addressed.  See  Appendix  A  for  the  summary  of  the  scope 
and  methodology  and  Appendix  B  for  results  related  to  the  total  asset  visibility 
and  acquisition  strategy  planning  objectives. 
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Information  Assurance  for  the  Advanced 
Logistics  Program 

DARPA  is  developing  and  demonstrating  an  information  technology 
capability  without  properly  addressing  information  assurance  (security 
risk).  DARPA  officials  believed  that  the  development  of  the  information 
technology  capabilities  was  research  related  and  therefore  did  not 
conduct  a  security  risk  assessment.  As  a  result,  DARPA  will  be  offering 
the  ALP  information  technology,  funded  at  $59.2  million,  to  Defense 
agencies  and  Military  Departments  without  knowing  the  potential  risks. 
Also,  the  lack  of  a  security  risk  assessment  may  deter  Defense  agencies 
and  Military  Departments  from  expressing  a  committed  interest  in  the 
ALP. 

Background 

The  ALP’s  goal  is  to  demonstrate  an  end-to-end  automated  information 
technology  logistics  concept  for  focused  logistics.  Focused  logistics  is  intended 
to  combine  logistics  information  and  transportation  technologies  for  rapid  crisis 
response,  deployment,  and  sustainment  and  to  track  and  shift  units,  equipment, 
and  supplies  while  en  route  to  the  warfighter.  The  ALP  mission  is  to 
investigate,  design,  develop,  and  demonstrate  a  prototype  logistics  system  that  is 
based  on  advanced  information  technology.  The  ALP  has  completed  3  years  of 
a  5-year  program,  with  a  planned  expenditure  of  $59.2  million.  ALP  will 
provide  the  capability  to  obtain  information  from  logistics  and  operations 
systems  and  provide  operational  users  with  the  ability  to  rapidly  plan,  execute, 
and  replan  for  more  responsive  and  efficient  logistical  support. 

Advanced  Logistics  Program  Development  and 
Demonstrations 


The  ALP  prototype  system  is  an  assembly  of  computer  hardware,  software,  and 
firmware  configured  to  collect,  create,  communicate,  compute,  process,  store 
and  or  control  data  or  information.  The  ALP  prototype  system’s  capabilities 
were  coordinated  with  potential  users  in  workshops  and  demonstrations.  The 
workshops  involved  discussions  on  the  evolving  strategies,  plans,  and 
requirements  for  transitioning  the  ALP  technologies.  The  workshop  attendees 
included  representatives  from  the  Joint  Staff,  the  Defense  Logistics  Agency,  the 
Military  Departments,  the  U.  S.  Transportation  Command,  and  the  U.  S.  Forces 
Command.  In  1997  and  1999,  two  demonstrations  were  conducted  to  exhibit 
the  information  technology  capabilities  that  were  being  developed.  The 
scenarios  included  real-time,  detailed  logistics  planning  involving  a  major  force 
deployment  to  Southwest  Asia.  Those  demonstrations  used  information 
databases  from  the  Defense  Logistics  Agency,  the  U.  S.  Transportation 
Command,  the  U.  S.  Central  Command,  and  the  U.  S  Forces  Command  to 
obtain  database  information  from  the  Global  Transportation  Network,  the  Joint 
Total  Asset  Visibility  System,  and  the  Global  Decision  Support  System  to  show 
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how  logistics  planning  could  be  accomplished  using  existing  databases  from 
various  logistics  and  operational  commands.  The  demonstrations  were 
conducted  under  a  “read  only”  condition,  with  unclassified  databases,  thus 
ensuring  the  demonstrations  did  not  corrupt  or  otherwise  impact  operational 
information. 

An  expanded  ALP  demonstration  was  conducted  in  February  2000  to  analyze 
the  technical  capability  of  the  ALP  infrastructure  and  to  demonstrate  an  ALP 
network  “read  only”  capability,  the  ability  to  perform  replanning,  and  the 
ability  to  function  with  real-world  communication  systems.  The  participants  in 
this  demonstration  were  the  same  as  in  previous  demonstrations  but  included 
selected  operational  units.  As  with  previous  demonstrations,  the  ALP 
technology  was  limited  to  “read  only”  and  included  only  unclassified  databases 
from  the  participants. 

Information  Assurance 


In  response  to  information  assurance  (security)  concerns  voiced  by  attendees 
during  the  January  1999  ALP  demonstration,  DARPA  developers  incorporated 
commercial  information  technology  capabilities  in  the  ALP  technology. 
Information  assurance  is  a  measure  of  confidence  that  security  features, 
practices,  procedures,  and  the  architecture  of  an  information  technology  system 
accurately  mediate  and  enforce  the  security  policy.  Information  assurance 
measures  and  controls  confidentiality,  integrity,  availability,  and  accountability 
of  the  information  processed  and  stored  by  a  computer. 

In  October  1999,  developers  incorporated  three  commercial-off-the-shelf 
security  products  consisting  of  Public  Key  Infrastructure  (PKI)  Enabling,  the 
signing  of  Java  JAR  files,  and  Internet  Protocol  (IP)  security.  The  PKI  provides 
message  authentication  and  integrity  for  communications  between  users;  Java 
JAR  will  prevent  malicious  code  from  being  downloaded  into  the  ALP  prototype 
system;  and  the  IP  will  provide  secure  encrypted  communications  between  ALP 
sites.  All  three  commercial-off-the-shelf  security  products  were  installed  into 
the  ALP  architecture  without  a  risk  or  vulnerability  assessment.  Officials  plan 
to  test  the  security  measures  implemented  in  the  ALP  architecture  during  the  last 
year  of  the  program. 

Although  DARPA  developers  considered  information  assurance,  they  did  not 
conduct  an  assessment  of  the  security  risks  to  the  potential  users  of  the  ALP 
technology.  Without  a  risk  assessment,  potential  ALP  technology  users  would 
either  use  the  technology  not  knowing  the  potential  risks  or  conduct  a  review 
themselves  prior  to  using  the  technology. 

Information  Technology  Guidance 


Office  of  Management  and  Budget  Circular  A- 130,  “Management  of  Federal 
Information  Resources,”  February  8,  1996,  established  Government  policy  for 
information  systems.  Circular  A- 130,  Appendix  III,  “Security  of  Federal 
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Automated  Information  Resources,”  states  that  a  system  should  normally  include 
hardware,  software,  information,  data,  applications,  communications,  and 
people.  Appendix  III  also  states  that  a  major  application  requires  special 
attention  to  security  because  of  the  risk  and  magnitude  of  the  harm  resulting 
from  the  loss,  misuse,  or  unauthorized  access  to  or  modification  of  the 
information  in  the  application. 

DoD  Instruction  5200.40,  “DoD  Information  Technology  Security  Certification 
and  Accreditation  Process,”  December  30,  1997,  provides  DoD  managers  with 
a  unified  standard  process  to  incorporate  adequate  computer  security  into  their 
systems.  DoD  Instruction  5200.40  defines  an  architecture  as  the  configuration 
of  any  equipment  or  interconnected  system  or  subsystem  of  equipment  that  is 
used  in  the  automatic  acquisition,  storage,  manipulation,  management, 
movement,  control,  display,  switching,  interchange,  transmission,  or  reception 
of  data  or  information.  DoD  Instruction  5200.40  defines  a  system  as  a  set  of 
interrelated  components  consisting  of  a  mission,  environment,  and  architecture. 
The  ALP  has  both  system  components  and  architecture. 

The  Office  of  the  Assistant  Secretary  of  Defense  (Command,  Control, 
Communications,  and  Intelligence)  recognizes  that,  due  to  advances  in 
information  technology  and  the  increased  vulnerabilities  to  the  Defense 
Information  Infrastructure,  security  planning  should  begin  with  technology 
development.  Information  technology  developers  have  a  responsibility  to  users 
to  implement  information  assurance  technology  from  the  beginning  of  the 
project.  The  use  of  prototypes  does  not  eliminate  the  need  for  formal  metrics 
and  inspections  of  a  project;  rather,  prototypes  should  highlight  the  need  for 
security  measures  to  be  implemented.  Therefore,  a  risk  management  plan 
should  be  established  to  accomplish  feasible  security  measures  and  should 
remain  active  throughout  the  project’s  life-cycle  to  identify  and  mitigate  risks 
before  they  become  serious  problems. 

The  DARPA  developers  stated  that  the  Defense  agencies  and  Military 
Departments  that  acquire  ALP  will  determine  the  information  assurance 
(security)  requirements  for  their  systems  and  will  also  be  responsible  for  the 
cost  of  adding  security  and  completing  a  risk  assessment  and  accreditation. 
DARPA  developers  believed  that  security  would  evolve  as  the  system  stabilizes 
and  also  stated  that  there  was  no  requirement  to  perform  a  risk  assessment 
because  the  ALP  was  a  research  effort. 

Transition  Plan 


Defense  agencies  and  Military  Departments  have  not  expressed  a  committed 
interest  in  the  ALP  information  technology  effort,  which  is  scheduled  to  end 
October  2001,  although  DARPA  officials  have  attempted  to  obtain 
commitments. 
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Defense  agencies  and  Military  Departments  indicated  that  they  may  use  parts  of 
the  ALP  technology  in  their  ongoing  or  planned  pilot  programs.  The  following 
are  Defense  agencies  and  Military  Departments  that  may  use  the  ALP 
technology: 

•  DARPA,  in  conjunction  with  the  Defense  Information  Systems  Agency, 
is  using  components  of  the  ALP  information  technology  in  the 
development  of  the  Joint  Logistics  Advanced  Concept  and  Technology 
Demonstrator  (Joint  Logistics  Demonstrator).  The  Joint  Logistics 
Demonstrator  is  a  multi-phase  program,  which  will  provide  an 
experimental  environment  for  logisticians  to  evaluate  developing  decision 
support  tools  and  technologies  for  increased  operational  capabilities. 

The  Joint  Logistics  Demonstrator  provides  the  opportunity  to  evaluate 
the  potential  fielding  of  advanced  technologies  such  as  those  developed 
by  the  ALP  to  satisfy  the  requirements  of  the  joint  Defense  agencies  and 
Military  Departments.  The  Joint  Logistics  Demonstrator  continued 
through  April  2000.  The  technologies  of  the  Joint  Logistics 
Demonstrator  are  planned  to  transition  to  the  DARPA  Joint  Theater 
Logistics  Advanced  Concept  and  Technology  Demonstrator  for  further 
development.  The  Joint  Theater  Logistics  Demonstrator  will  continue  to 
develop  and  demonstrate  advanced  web-based  technologies,  software 
tools,  and  protocols  that  will  produce  a  real-time  capability  to  improve 
the  communications,  coordination,  and  collaboration  between  the 
logistics  and  operations  communities. 

•  The  Defense  Logistics  Agency  plans  to  use  portions  of  the  ALP 
information  technology  in  its  prototype  for  Finished  Goods  Inventory. 
The  ALP  information  technology  will  enable  small  components,  called 
clusters,  to  communicate  with  each  other  using  standard  syntax  and 
protocols.  The  Defense  Logistics  Agency  prototype  is  planned  to  begin 
in  2000. 

•  The  U.  S.  Transportation  Command  plans  to  use  portions  of  the  ALP 
information  technology  in  its  Agile  Transportation  -  AT  2000  Advanced 
Concept  Technology  Demonstrator.  The  ALP  will  provide  the 
foundation  for  handling  various  database  integrations.  The  AT  2000 
Advanced  Concept  Technology  Demonstrator  is  planned  to  improve  the 
current  Defense  Transportation  System.  Officials  of  the 

U.  S.  Transportation  Command  have  requested  $45  million  in  FY  2001 
for  the  AT  2000  Advanced  Concept  Technology  Demonstrator;  however, 
at  the  time  of  this  report,  funding  had  not  been  approved. 

Summary 

DARPA  officials  believed  that  the  development  and  demonstration  of  the  ALP, 
an  information  technology  prototype,  was  a  research  effort  and  therefore  that 
DARPA  was  not  required  to  conduct  a  security  risk  assessment.  Good  business 
practices  would  suggest  that  information  technology  developers  conduct  security 
risk  assessments  to  identify  potential  vulnerabilities  that  the  ALP  technology 
may  introduce.  The  lack  of  a  security  risk  assessment  is  a  deterrent  to 


transitioning  the  ALP  information  technology  to  the  Defense  agencies  and 
Military  Department  who  may  not  be  willing  to  accept  the  cost  and  unknown 
risks  associated  with  implementing  security  into  ALP.  It  has  been  a  tenet  of  the 
computer  community  that  the  cost  to  the  user  for  adding  security  could  be  more 
than  10  times  the  cost  had  security  been  included  in  the  system’s  initial  design 
phase.  If  DARPA  does  not  conduct  an  information  assurance  risk  assessment, 
the  full  capabilities  of  ALP  may  never  materialize. 

Recommendation,  Management  Comments,  and  Audit 
Response 


We  recommend  that  the  Director,  Defense  Advanced  Research  Projects 
Agency,  perform  an  information  assurance  risk  assessment  for  the 
Advanced  Logistics  Program  before  development  is  completed  and  before  it 
is  introduced  to  the  Defense  agencies  and  the  Military  Departments. 

Management  Comments.  The  Director,  Defense  Advanced  Research  Projects 
Agency,  concurred  with  the  recommendation  and  has  arranged  with  the  Sandia 
National  Laboratory's  Secure  Network  and  Information  Systems  Group  to 
perform  an  information  assurance  risk  assessment  during  July  through 
November  2000.  However,  the  Director,  Defense  Advanced  Research  Projects 
Agency,  stated  that  the  Advanced  Logistic  Program  is  a  research  and 
development  project,  not  an  information  system,  and  therefore  was  not  subject 
to  the  guidelines  and  constraints  of  the  Office  of  Management  and  Budget 
Circular  A- 130. 

Audit  Response.  The  Defense  Advanced  Research  Projects  Agency's 
comments  are  responsive  to  the  recommendation  and  the  information  technology 
security  requirements  of  the  Office  of  Management  and  Budget  Circular  A- 130. 
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Appendix  A.  Audit  Process 

Scope  and  Methodology 


Work  Performed.  We  performed  this  economy  and  efficiency  audit  from 
October  1999  through  January  2000,  in  accordance  with  auditing  standards 
issued  by  the  Comptroller  of  the  United  States,  as  implemented  by  the  Inspector 
General,  DoD.  We  did  not  use  computer-processed  data  or  statistical  sampling 
procedures  to  develop  conclusions  on  this  audit.  Members  of  the  Technical 
Assessment  Division,  Office  of  the  Inspector  General,  DoD,  provided  assistance 
during  the  audit.  We  examined  the  ALP  for  security  considerations,  for 
coordination  with  other  DoD  logistics  and  transportation  activities,  and  for 
coordination  of  the  transition  to  potential  users.  To  accomplish  our  objectives, 
we  conducted  meetings  with  key  DARPA  program  officials  and  various  DoD 
organizations,  evaluated  documentation  provided  by  the  officials  and 
organizations,  and  compared  and  analyzed  the  documentation  to  applicable 
criteria. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  DoD.  Further  details  are  available  on  request. 

DoD-wide  Corporate  Level  Government  Performance  and  Results  Act 
(GPRA)  Coverage.  In  response  to  the  GPRA,  the  Secretary  of  Defense 
annually  establishes  DoD-wide  corporate  level  performance  goals,  subordinate 
performance  goals,  and  performance  measures.  This  report  pertains  to 
achievement  of  the  following  goal,  subordinate  goal,  and  performance  measure. 

FY  2001  DoD  Corporate-Level  Goal  2:  Prepare  now  for  an  uncertain  future 
by  pursuing  a  focused  modernization  effort  that  maintains  U.S.  qualitative 
superiority  in  key  warfighting  capabilities.  Transform  the  force  by  exploiting 
the  Revolution  in  Military  Affairs,  and  reengineer  the  Department  to  achieve  a 
2 1st  century  infrastructure.  (Ol-DoD-2)  FY  2001  Subordinate  Performance 
Goal  2.3:  Streamline  the  DoD  infrastructure  by  redesigning  the  Department's 
support  structure  and  pursuing  business  practice  reforms.  (Ol-DoD-2.3) 
FY2001  Performance  Measure  2.3.4:  Logistics  Response  Time.  (01-DoD- 
2.3.4)  FY2001  Performance  Measure  2.3.5:  Visibility  and  Accessibility  of 
DoD  Materiel  Assets.  (Ol-DoD-2.3.5) 

General  Accounting  Office  High-Risk  Area.  The  General  Accounting  Office 
has  identified  several  high-risk  areas  in  DoD.  This  report  provides  coverage  of 
the  Defense  Contract  Management  high-risk  area.  Although  other  transactions 
are  not  considered  to  be  contracts,  we  grouped  the  other  transactions  in  this 
high-risk  area  because  their  purpose  is  similar. 
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Management  Control  Program 


DoD  Directive  5010.38,  “Management  Control  Program,”  August  26,  1996, 
requires  DoD  managers  to  implement  a  comprehensive  system  of  management 
controls  that  provides  reasonable  assurances  that  programs  are  operating  as 
intended  and  to  evaluate  the  adequacy  of  the  controls. 

Scope  of  Review  of  the  Management  Control  Program.  We  reviewed  the 
adequacy  of  the  DARPA  management  controls  addressing  information  assurance 
for  die  ALP.  Specifically,  we  reviewed  the  DARPA  controls  for  assessing  the 
adequacy  of  the  management  and  administration  of  information  security  for  the 
ALP  design  and  development. 

Adequacy  of  Management  Controls.  We  identified  a  material  management 
control  weakness  as  defined  by  DoD  Instruction  5010.40.  Management  controls 
were  not  adequate  to  ensure  that  information  assurance  was  properly  addressed 
and  evaluated  during  the  ALP  development.  The  recommendation,  if 
implemented,  will  ensure  that  proper  considerations  are  made  for  information 
assurance.  A  copy  of  this  report  will  be  provided  to  the  DARPA  senior  official 
responsible  for  management  controls. 

Adequacy  of  Management's  Self-Evaluation.  The  DARPA  management  did 
not  identify  information  assurance,  or  the  ALP,  as  an  assessable  unit  and  did  not 
perform  a  self-evaluation.  Therefore,  we  were  unable  to  determine  whether 
management  could  have  identified  the  material  management  control  weakness. 
DoD  identified  information  assurance  as  a  significant  internal  management 
control  problem  (DoD  systemic  control  deficiency)  in  its  FY  1999  Annual 
Statement  of  Assurance. 

Prior  Coverage 


No  prior  coverage  has  been  conducted  on  the  subject  in  the  last  5  years. 
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Appendix  B.  Transition  Plans  and  Funding 


The  ALP  had  completed  the  third  year  of  a  5 -year  information  technology 
prototype  program  and  officials  had  begun  to  discuss  the  transitioning  of  its 
architecture  with  the  logistics  and  transportation  organizations.  The  transition’s 
success  will  depend  on  the  success  of  the  pilot  programs  to  incorporate  the  ALP 
architecture. 

Transition  Goals  and  Plans.  Goals  for  the  ALP  include  transitioning  some  of 
its  components  as  applications  directly  to  the  Defense  agencies  and  Military 
Departments.  The  following  chart  identifies  the  organizations  and  their  pilot 
programs  that  will  incorporate  parts  of  the  ALP  architecture.  However,  the 
organizations  were  in  the  process  of  obtaining  program  approval  and  funds  for 
their  respective  pilot  programs. 


Organization  Pilot  Program 

Defense  Logistics  Agency  Finished  Goods  Inventory 

U.S.  Transportation  Command  Agile  Transportation  Advanced  Concept 

Technology  Demonstrator 


The  short-term  goals  for  the  ALP  are  to  transition  some  components  as  tools 
through  the  DARPA  Joint  Logistics  Demonstrator  and  the  Joint  Theater 
Logistics  Advanced  Concept  Technology  Demonstrator.  Long-term  goals  for 
the  ALP  are  to  transition  technologies  to  the  Global  Combat  and  Control  System 
and  the  Global  Command  Support  System. 

Transition  Funding.  The  DARPA  and  the  Defense  Logistics  Agency  had  not 
budgeted  funds  for  the  ALP  beyond  FY  2001,  and  the  logistics  and 
transportation  communities  had  not  budgeted  for  the  transition  of  ALP 
technology.  Therefore,  the  transition  of  the  ALP  technology  to  Defense 
agencies  and  the  Military  Departments  is  questionable. 

Officials  have  been  unsuccessful  in  obtaining  continued  sponsorship  of  the  ALP 
information  technology  prototype  beyond  the  FY  2001  DARPA-funded  effort. 
Defense  agencies  and  Military  Departments’  use  of  the  ALP  technology  was 
limited  to  pilot  efforts.  Continued  use  of  the  ALP  technology  is  dependent  on 
the  Defense  agencies  and  Military  Departments  obtaining  funds  for  transitioning 
ALP.  As  of  January  2000,  none  of  the  organizations  had  decided  to  provide  the 
necessary  funding. 
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Appendix  C.  Report  Distribution 

Office  of  the  Secretary  of  Defense 


Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 

Director,  Defense  Logistics  Studies  Information  Exchange 

Director,  Defense  Procurement 

Director,  Defense  Research  and  Engineering 


Joint  Staff 

Director,  Joint  Staff 


Department  of  the  Army 

Assistant  Secretary  of  the  Army  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Naval  Inspector  General 

Auditor  General,  Department  of  the  Navy 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 

Unified  Command 

Commander,  U.S.  Transportation  Command 
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Other  Defense  Organizations 

Director,  Defense  Logistics  Agency 
Director,  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Director,  Defense  Advanced  Research  Project  Agency 
Director,  Defense  Information  Systems  Agency 
Inspector  General,  Defense  Intelligence  Agency 


Non-Defense  Federal  Organizations 

Office  of  Management  and  Budget 
General  Accounting  Office 

National  Security  and  International  Affairs  Division 
Technical  Information  Center 


Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee  on  Government  Reform 

House  Subcommittee  on  National  Security,  Veterans  Affairs,  and  International 
Relations,  Committee  on  Government  Reform 
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Defense  Advanced  Research  Projects  Agency 


DEFENSE  ADVANCED  RESEARCH  PROJECTS  AGENCY 
3701  NORTH  FAIRFAX  DRIVE 
ARLINGTON,  VA  22203*1714 


m  r  2000 


MEMORANDUM  FOR  ASSISTANT  INSPECTOR  GENERAL  FOR  AUDITING 
DEPARTMENT  OF  DEFENSE 

SUBJECT:  Response  to  DoD  IG  Draft  Report  on  Advanced  Logistics  Program 

In  response  to  the  draft  report  entitled,  ‘Development  of  the  Advanced  Logistics 
Program,"  dated  February  24, 2000  (Project  No.  0AB-0103),  DARPA  concurs  with  the 
recommendation  of  the  report  and  has  arranged  an  information  assurance  risk  assessment  on  the 
Advanced  Logistics  Project. 

Our  major  exception  to  the  draft  report  is  that  the  Advanced  Logistics  Program  is  a 
research  and  development  project,  not  a  system  acquisition  program,  and  as  such  is  not  subject  to 
same  guidelines  and  constraints  Since  this  project  is  research,  and  its  objectives  were  not  in  the 
information  assurance  domain,  we  maintain  that  management  controls  for  the  project  were 
appropriate  and  adequate 

The  attachment  provides  suggested  changes  to  the  report  We  appreciate  the  opportunity 
to  review  the  DoD  IG  draft  report  Should  you  have  further  questions  regarding  this  response. 

Dr  Todd  Carrico  is  our  technical  point  of  contact.  His  phone  number  is  (703)  526*6616. 


F  L.  Fernandez 
Director 

Attachment 


13 


DARPA  COMMENTS  ON  IG  REPORT 


EXECUTIVE  SUMMARY  COMMENTS 

The  recommendation  in  the  executive  summary,  as  in  the  report,  is  to  perform  an 
Information  risk  assessment  for  the  AUP  technology.  DARPA  concurs  with  this 
recommendation  and  has  commissioned  Sandia  National  Laboratory's  Secure  Network 
and  Information  Systems  group  to  perform  this  assessment.  The  assessment  will  be 
performed  in  the  July-November,  2000  timeframe  and  the  final  report  will  be  available  in 
January  2001.  This  assessment  will  include  those  security  measures  developed  during 
FY  2000  as  well  as  prior  year  developments. 


AUDIT  REPORT  COMMENTS 

(Page  4,  Information  Assurance,  3rd  paragraph) 

Though  DARPA  acknowledges  that  its  information  assurance  risk  assessment  will 
provide  valuable  insights  to  potential  transition  organizations,  it  may  not  completely 
eliminate  the  need  for  an  organization  to  perform  a  further  risk  assessment  to  evaluate  the 
vulnerabilities  of  ALP  against  the  particular  operational  requirement  and  environment  in 
which  it  will  be  fielded. 


(Page  5,  Information  Technology  Guidance,  1*  paragraph) 

The  ALP  program  is  developing  advanced  architecture  technology  to  enable  greater 
automation  and  capability  in  system  developments  employing  the  ALP  architecture 
technology.  Since  ALP  is  an  architecture  technology  and  not  an  application  the  reference 
made  to  OMB  Circular  A-130,  Appendix  m  regarding  government  policy  for  information 
systems  does  not  apply.  Further,  the  reference  made  to  Appendix  HI  in  regards  to  “major 
application"  requirements  is  not  applicable. 


(Page  5,  Information  Technology  Guidance,  2nd  paragraph) 

The  product  to  be  transitioned  at  the  end  of  the  ALP  project  is  just  the  architecture 
technology,  not  the  demonstration  prototype.  Consequently.  DoD  Instruction  5200.40, 
addressing  the  accreditation  of  systems,  does  not  apply.  Acquisition  efforts  using  the 
architecture,  after  defining  the  mission  and  environment  components,  will  consider  the 
certification  and  accreditation  process  identified  in  Do D  Instruction  5200.40. 
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(Page  5,  Informal  ion  Technology  Guidance,  3n*  paragraph) 

The  ALP  program  has  been  engaged  in  early  technology  exploration,  not  traditional 
system  development.  In  its  early  steges,  the  form  and  shape  of  the  technology  solution 
was  not  defined  well  enough  to  enable  the  development  of  a  risk  management  plan,  not 
would  it  have  been  cost  effective  to  consider  such  complications  before  the  core 
technology  innovations  hod  been  developed  and  validated. 


(Page  6,  Transition  Plan,  lrt  paragraph) 

DARPA  contends  that  the  Military  Departments  have  committed  to  the  transition  of 
the  ALP  architecture  to  the  extent  possible  prior  to  pilot  completion.  The  Department  of 
the  Army  and  the  Defense  Logistics  Agency  (DLA)  have  both  sponsored  pilot  projects 
based  on  tbc  ALP  technology.  These  pilot  efforts  are  explicit  evaluations  of  the  ALP 
technology  in  an  operational  environment  for  the  express  purpose  of  determining  the 
viability  of  transitioning  the  ALP  technology.  The  intent  of  both  the  Army  and  DLA  is, 
if  deemed  successful  under  the  pilot  development  activities,  to  transition  the  ALP 
technologies  into  larger  ongoing  or  emerging  information  system  modernization 
activities.  Under  such  a  transition  approach,  no  separate  funding  commitment,  beyond 
those  already  budgeted  for  the  information  system  modernization  activities,  is  required. 


(Page  6,  Transition  Plan,  bullets  1-3) 

In  the  three  citations  of  the  use  of  ALP  technologies,  it  should  be  noted  that  in  all 
cases  it  is  the  component  architecture  technologies  that  have  been  or  are  planned  to  be 
incorporated,  and  not  the  demonstration  prototype.  This  further  supports  DARPA’s 
assertion  that  we  are  building  and  plan  to  transition  an  advanced  architecture  technology 
and  not  a  system. 


(Page  7,  Recommendations) 

The  recommendation  of  this  report  is  to  perform  an  information  risk  assessment  for 
ALP.  DARPA  concurs  with  this  recommendation  and  has  commissioned  Sandia 
National  Labs  Secure  Network  and  Information  Systems  group  to  perform  this 
assessment  The  assessment  will  be  performed  during  the  luly-November  2000, 
timeframe  and  the  final  report  will  be  available  January  2001.  This  assessment  will 
include  those  security  measures  developed  in  the  FY  2000  as  well  as  prior  year 
developments. 
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(Page  9,  Appendix  A,  Management  Control  Program) 


DARPA  disputes  the  contention  that  management  controls  were  not  adequate  during 
the  ALP  development.  Since  information  security  was  not  one  of  the  stated  objectives  of 
the  ALP  technology,  it  was  not  appropriate  to  identify  information  assurance  of  ALP  as 
an  assessable  unit  for  external  or  internal  evaluation  prior  to  July  2000.  Three  points 
need  to  be  reiterated  in  this  regard: 

1.  ALP  is  not  a  system. 

2.  Information  assurance  is  being  addressed  in  the  architecture  through 
incorporation  of  commercial  security  technologies  and  commercial  best 
practices. 

3.  ALP  will  not  be  at  a  state  of  maturity  to  support  an  Information  Assurance 
Risk  Assessment  prior  to  July  2000. 
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